Reducing the Attack Surface is a Fool’s Errand

Summary:We were all taught, “An ounce of prevention is worth a pound of cure.” Sounds logical, but after 20 years of failing to prevent breaches, do we still feel that way? This April Fool’s Day, let’s admit that we are over-invested in patching and prevention and that we need to shift our mindset towards a more comprehensive and effective approach.

In March, Symantec issued patches for a number of high-risk vulnerabilities in Symantec Endpoint Protection (SEP). These vulnerabilities could be used to gain elevated access within the SEP Management Console and, also, to execute arbitrary code on a device with the SEP agent. In other words, the world’s #1 corporate antivirus platform could be used to launch a fairly scary attack against the endpoints it is installed on.

This comes on the heels of a similar incident last August, when Symantec resolved a number of critical vulnerabilities that could have been used by an attacker to gain access to a customer’s infrastructure. The list of holes included authentication bypass, privilege escalation, and multiple opportunities for SQL injection.

It’s easy to blame Symantec, but in truth, this happens more than we, the security industry and the business world, would like to admit. Most major security vendors have had similar issues. But, it’s still frustrating and concerning when a security product becomes a vector for attack. It should raise questions: Did the developer take adequate care? How many undiscovered vulnerabilities remain?

Perhaps the best question is: If Symantec, the largest independent security company on the planet, can’t write vulnerability-free software 100% of the time, what chance does your average enterprise software developer have? The answer is, “not much.” After all, another word for “vulnerability” is “mistake” – as in the way that particular software was developed. Software (even security software) is written by humans and humans make mistakes.

The harsh reality is that the attack surface is simply growing too fast and is too complex to secure this way. New applications being deployed all the time, means new vulnerabilities and new opportunities for the adversary to exploit.

We were all taught, “An ounce of prevention is worth a pound of cure.” Sage advice, but we need to think more broadly. After decades focused on patching and prevention, the number of breaches continues to rise.

Fortunately, leading security organizations are starting to adopt a more comprehensive and adaptive approach to IT security that detects, denies, and disrupts the enemy across the entire lifecycle of the attack. The MITRE Corporation calls it “an active, threat-based defense.” Gartner calls it the “Adaptive Security Architecture.” Regardless of what we call it, here are a few suggestions as to how the industry can get there sooner:

First, we need continuous visibility across the organizations’ assets including devices that are both inside and outside the corporate perimeter. We need to forget about “incident response” and focus on “continuous response.” We should collect a rich set of telemetry off our devices and store it over time. While retrieval of artifacts after a breach is an important capability, it’s far better to monitor actions in real-time when you still have a chance of disrupting the attack.

Second, we need to reinvest in detection and analytics. Patching and prevention works sometimes. When they don’t, we need proactive notification that there’s a problem. Analytics and data science have gotten a lot better in recent years. We can use them to help identify malicious activity.

Third, let’s drive for more automation and integration. We’re all busy and spread too thin. We should pick our tools carefully and try to do more with less.

And, finally, let’s use these new detection and visibility capabilities to learn about our adversary, understand their techniques and motivations and get better at predicting their next move. Gather intelligence from previous attacks and use it to help prevent the next one.

This April Fool’s Day, let’s acknowledge that a security strategy focused exclusively on patching and prevention is a fool’s errand and let’s move towards an adaptive approach that includes prevention, detection, continuous visibility and response.

About the author: Paul Morville is vice president, products for Confer, a leader in endpoint detection and response, providing advanced threat prevention and incident response for endpoints, servers and cloud workloads. Visit https://www.confer.net/blog for more of Paul’s perspective.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.